Keywhiz vs Vault

Overview

Keywhiz

Stacks12

Followers50

Votes3

GitHub Stars2.6K

Forks216

Vault

Stacks816

Followers802

Votes71

GitHub Stars33.4K

Forks4.5K

Keywhiz vs Vault: What are the differences?

Keywhiz vs Vault

Keywhiz and Vault are both popular tools used for secret management in the field of information security. While they serve a similar purpose, there are several key differences that distinguish them.

Architecture: Keywhiz is a centralized secret management system, where secrets are stored on a central server and clients retrieve them when needed. On the other hand, Vault follows a distributed architecture, where secrets are securely distributed across multiple servers. This distributed approach provides higher availability and fault tolerance.
Security Model: Keywhiz primarily uses asymmetric encryption for securing secrets, where the server encrypts secrets and clients can decrypt them using their private keys. In contrast, Vault utilizes a combination of symmetric and asymmetric encryption. It dynamically generates encryption keys for each secret and encrypts them using symmetric encryption, and stores these encryption keys using asymmetric encryption.
Scaling: When it comes to scaling, Keywhiz has some limitations. It is designed for smaller deployments and may face difficulties in managing a large number of secrets. On the other hand, Vault is highly scalable and can handle large-scale deployments effectively. It uses a sharding technique to distribute secrets across multiple instances, ensuring efficient scaling.
Authentication: Keywhiz supports only a limited set of authentication methods, such as TLS client certificate authentication and username/password authentication. Vault, on the other hand, offers a wide range of authentication options, including tokens, LDAP, GitHub, AWS IAM, and more. This flexibility allows organizations to integrate Vault seamlessly into their existing authentication infrastructure.
Auditing and Monitoring: Keywhiz lacks comprehensive auditing and monitoring capabilities. Although it provides basic logging functionalities, more advanced auditing features are missing. In comparison, Vault offers robust auditing and monitoring features, including detailed logging, audit trails, and integration with external monitoring services.
Secret Storage: Keywhiz stores secrets in a database backend, which can be a potential single point of failure. Vault, on the other hand, supports various storage backends, including disk, MySQL, PostgreSQL, and cloud providers like AWS S3. This flexibility allows organizations to choose a storage backend that meets their specific requirements in terms of performance, security, and scalability.

In summary, Keywhiz and Vault differ in terms of architecture, security model, scaling capabilities, authentication options, auditing capabilities, and secret storage options. Choosing between them depends on the specific needs and requirements of an organization's secret management infrastructure.

Share your Stack

Help developers discover the tools you use. Get visibility for your team's tech choices and contribute to the community's knowledge.

View Docs

CLI (Node.js)

Manual

Detailed Comparison

Keywhiz	Vault
Keywhiz is a secret management and distribution service that is now available for everyone. Keywhiz helps us with infrastructure secrets, including TLS certificates and keys, GPG keyrings, symmetric keys, database credentials, API tokens, and SSH keys for external services — and even some non-secrets like TLS trust stores. Automation with Keywhiz allows us to seamlessly distribute and generate the necessary secrets for our services, which provides a consistent and secure environment, and ultimately helps us ship faster.	Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log.
Keywhiz Server provides JSON APIs for accessing and managing secrets. It is written in Java and based on Dropwizard.;KeywhizFs is a FUSE-based file system, providing secrets as if they are files in a directory. Transparently, secrets are retrieved from a Keywhiz Server using mTLS with a client certificate.;Presenting secrets as files makes Keywhiz compatible with nearly all software. Outside of Keywhiz administration, consumers of secrets only have to know how to read a file.;KeywhizFs stores all secrets in memory only and never persisted to disk. If KeywhizFs is unmounted or the server loses power, all secrets will be safely removed from that server.;To mitigate a Keywhiz Server outage, KeywhizFs maintains a local cache of previously accessed secrets. Unless the server is rebooted or KeywhizFs unmounted, applications can happily continue accessing secrets previously accessed.;Keywhiz CLI is a Java program for Keywhiz administration. Clients, secrets, and groups can be queried, added, removed, or associated with each other. Users can authenticate and use the CLI.;Keywhiz UI is web app for Keywhiz administration, similiar to Keywhiz CLI. The UI is built with AngularJS. Users can authenticate and use the UI.;Keywhiz makes heavy use of mTLS and X509 certificates. It can even help distribute and rotate them for other services! There is the assumption of a PKI system though. If one does not exist or a PKI is wanted for development consider certstrap for a simple, initial PKI.	Secure Secret Storage: Arbitrary key/value secrets can be stored in Vault. Vault encrypts these secrets prior to writing them to persistent storage, so gaining access to the raw storage isn't enough to access your secrets. Vault can write to disk, Consul, and more.;Dynamic Secrets: Vault can generate secrets on-demand for some systems, such as AWS or SQL databases. For example, when an application needs to access an S3 bucket, it asks Vault for credentials, and Vault will generate an AWS keypair with valid permissions on demand. After creating these dynamic secrets, Vault will also automatically revoke them after the lease is up.;Data Encryption: Vault can encrypt and decrypt data without storing it. This allows security teams to define encryption parameters and developers to store encrypted data in a location such as SQL without having to design their own encryption methods.;Leasing and Renewal: All secrets in Vault have a lease associated with it. At the end of the lease, Vault will automatically revoke that secret. Clients are able to renew leases via built-in renew APIs.;Revocation: Vault has built-in support for secret revocation. Vault can revoke not only single secrets, but a tree of secrets, for example all secrets read by a specific user, or all secrets of a particular type. Revocation assists in key rolling as well as locking down systems in the case of an intrusion.
Statistics
GitHub Stars 2.6K	GitHub Stars 33.4K
GitHub Forks 216	GitHub Forks 4.5K
Stacks 12	Stacks 816
Followers 50	Followers 802
Votes 3	Votes 71
Pros & Cons
Pros 3 Fuse FS	Pros 17 Secure 13 Variety of Secret Backends 11 Very easy to set up and use 8 Dynamic secret generation 5 AuditLog

What are some alternatives to Keywhiz, Vault?

Doppler

Doppler’s developer-first security platform empowers teams to seamlessly manage, orchestrate, and govern secrets at scale.

IBM SKLM

It centralizes, simplifies and automates the encryption key management process to help minimize risk and reduce operational costs of encryption key management. It offers secure, robust key storage, key serving and key lifecycle management for IBM and non-IBM storage solutions using the OASIS Key Management Interoperability Protocol (KMIP).

Docker Secrets

A container native solution that strengthens the Trusted Delivery component of container security by integrating secret distribution directly into the container platform.

AWS Secrets Manager

AWS Secrets Manager helps you protect secrets needed to access your applications, services, and IT resources. The service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.

EnvKey

Securely store config and manage access in an end-to-end encrypted, auto-syncing desktop app. Connect your apps in minutes in any language with an environment variable and a line or two of code.

Knox-app

Knox is a SaaS (Secrets as a Service) that helps you manage your keys, secrets, and configurations. Start in minutes and close the widest security breach. You cannot keep storing secrets in your git repo or sharing them by email or slack me

Infisical

It is an open-source, end-to-end encrypted (E2EE) secret manager that enables teams to easily manage and sync their environment variables.

Confidant

Confidant is a open source secret management service that provides user-friendly storage and access to secrets in a secure way, from the developers at Lyft.

Torus CLI

Torus simplifies the modern development workflow enabling you to store, share, and organize secrets across services and environments. With Torus, you can standardize on one tool across all environments. Map Torus to your workflows using projects, environments, services, teams, and machines.

Keeper Secrets Manager

It is a fully managed cloud-based, zero-knowledge platform for securing infrastructure secrets such as API keys, database passwords, access keys, certificates and any type of confidential data.

Related Comparisons

Keywhiz vs Vault: What are the differences?

Keywhiz vs Vault

Keywhiz and Vault are both popular tools used for secret management in the field of information security. While they serve a similar purpose, there are several key differences that distinguish them.

Architecture: Keywhiz is a centralized secret management system, where secrets are stored on a central server and clients retrieve them when needed. On the other hand, Vault follows a distributed architecture, where secrets are securely distributed across multiple servers. This distributed approach provides higher availability and fault tolerance.
Security Model: Keywhiz primarily uses asymmetric encryption for securing secrets, where the server encrypts secrets and clients can decrypt them using their private keys. In contrast, Vault utilizes a combination of symmetric and asymmetric encryption. It dynamically generates encryption keys for each secret and encrypts them using symmetric encryption, and stores these encryption keys using asymmetric encryption.
Scaling: When it comes to scaling, Keywhiz has some limitations. It is designed for smaller deployments and may face difficulties in managing a large number of secrets. On the other hand, Vault is highly scalable and can handle large-scale deployments effectively. It uses a sharding technique to distribute secrets across multiple instances, ensuring efficient scaling.
Authentication: Keywhiz supports only a limited set of authentication methods, such as TLS client certificate authentication and username/password authentication. Vault, on the other hand, offers a wide range of authentication options, including tokens, LDAP, GitHub, AWS IAM, and more. This flexibility allows organizations to integrate Vault seamlessly into their existing authentication infrastructure.
Auditing and Monitoring: Keywhiz lacks comprehensive auditing and monitoring capabilities. Although it provides basic logging functionalities, more advanced auditing features are missing. In comparison, Vault offers robust auditing and monitoring features, including detailed logging, audit trails, and integration with external monitoring services.
Secret Storage: Keywhiz stores secrets in a database backend, which can be a potential single point of failure. Vault, on the other hand, supports various storage backends, including disk, MySQL, PostgreSQL, and cloud providers like AWS S3. This flexibility allows organizations to choose a storage backend that meets their specific requirements in terms of performance, security, and scalability.

Keywhiz vs Vault

Overview

Keywhiz vs Vault: What are the differences?